search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nft: Drop interface mask leftovers from post_parse callbacks
[iptables-mirror.git] / iptables / nft.h
blob8f17f3100a19083c86054f77ed69c150f47acf78
1 #ifndef _NFT_H_
2 #define _NFT_H_
3
4 #include "xshared.h"
5 #include "nft-shared.h"
6 #include "nft-cache.h"
7 #include "nft-chain.h"
8 #include "nft-cmd.h"
9 #include <libiptc/linux_list.h>
10
11 enum nft_table_type {
12 NFT_TABLE_MANGLE = 0,
13 NFT_TABLE_SECURITY,
14 NFT_TABLE_RAW,
15 NFT_TABLE_FILTER,
16 NFT_TABLE_NAT,
17 NFT_TABLE_BROUTE,
18 };
19 #define NFT_TABLE_MAX (NFT_TABLE_BROUTE + 1)
20
21 struct builtin_chain {
22 const char *name;
23 const char *type;
24 uint32_t prio;
25 uint32_t hook;
26 };
27
28 struct builtin_table {
29 const char *name;
30 enum nft_table_type type;
31 struct builtin_chain chains[NF_INET_NUMHOOKS];
32 };
33
34 enum nft_cache_level {
35 NFT_CL_TABLES,
36 NFT_CL_CHAINS,
37 NFT_CL_SETS,
38 NFT_CL_RULES,
39 NFT_CL_FAKE /* must be last entry */
40 };
41
42 struct nft_cache {
43 struct {
44 struct nft_chain *base_chains[NF_INET_NUMHOOKS];
45 struct nft_chain_list *chains;
46 struct nftnl_set_list *sets;
47 bool exists;
48 bool sorted;
49 bool tainted;
50 } table[NFT_TABLE_MAX];
51 };
52
53 enum obj_update_type {
54 NFT_COMPAT_TABLE_ADD,
55 NFT_COMPAT_TABLE_FLUSH,
56 NFT_COMPAT_CHAIN_ADD,
57 NFT_COMPAT_CHAIN_USER_ADD,
58 NFT_COMPAT_CHAIN_DEL,
59 NFT_COMPAT_CHAIN_USER_FLUSH,
60 NFT_COMPAT_CHAIN_UPDATE,
61 NFT_COMPAT_CHAIN_RENAME,
62 NFT_COMPAT_CHAIN_ZERO,
63 NFT_COMPAT_RULE_APPEND,
64 NFT_COMPAT_RULE_INSERT,
65 NFT_COMPAT_RULE_REPLACE,
66 NFT_COMPAT_RULE_DELETE,
67 NFT_COMPAT_RULE_FLUSH,
68 NFT_COMPAT_SET_ADD,
69 NFT_COMPAT_RULE_LIST,
70 NFT_COMPAT_RULE_CHECK,
71 NFT_COMPAT_CHAIN_RESTORE,
72 NFT_COMPAT_RULE_SAVE,
73 NFT_COMPAT_RULE_ZERO,
74 NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE,
75 NFT_COMPAT_RULE_CHANGE_COUNTERS,
76 };
77
78 struct cache_chain {
79 struct list_head head;
80 char *name;
81 };
82
83 struct nft_cache_req {
84 enum nft_cache_level level;
85 char *table;
86 bool all_chains;
87 struct list_head chain_list;
88 };
89
90 struct nft_handle {
91 int family;
92 struct mnl_socket *nl;
93 int nlsndbuffsiz;
94 int nlrcvbuffsiz;
95 uint32_t portid;
96 uint32_t seq;
97 uint32_t nft_genid;
98 uint32_t rule_id;
99 struct list_head obj_list;
100 int obj_list_num;
101 struct nftnl_batch *batch;
102 struct list_head err_list;
103 struct nft_family_ops *ops;
104 const struct builtin_table *tables;
105 unsigned int cache_index;
106 struct nft_cache __cache[2];
107 struct nft_cache *cache;
108 struct nft_cache_req cache_req;
109 bool restore;
110 bool noflush;
111 int8_t config_done;
112 struct list_head cmd_list;
113 bool cache_init;
114 int verbose;
115
116 /* meta data, for error reporting */
117 struct {
118 unsigned int lineno;
119 } error;
120 };
121
122 int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
123 int (*cb)(const struct nlmsghdr *nlh, void *data),
124 void *data);
125 int nft_init(struct nft_handle *h, int family);
126 void nft_fini(struct nft_handle *h);
127 int nft_restart(struct nft_handle *h);
128
129 /*
130 * Operations with tables.
131 */
132 struct nftnl_table;
133 struct nftnl_chain_list;
134
135 int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, void *data), void *data);
136 bool nft_table_find(struct nft_handle *h, const char *tablename);
137 int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
138 int nft_table_flush(struct nft_handle *h, const char *table);
139 const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
140 int nft_xt_fake_builtin_chains(struct nft_handle *h, const char *table, const char *chain);
141
142 /*
143 * Operations with chains.
144 */
145 struct nftnl_chain;
146
147 int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
148 int nft_chain_save(struct nft_chain *c, void *data);
149 int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
150 int nft_chain_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
151 int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table);
152 int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
153 int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
154 const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t, const char *chain);
155 bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
156 void nft_bridge_chain_postprocess(struct nft_handle *h,
157 struct nftnl_chain *c);
158 int nft_chain_foreach(struct nft_handle *h, const char *table,
159 int (*cb)(struct nft_chain *c, void *data),
160 void *data);
161
162
163 /*
164 * Operations with sets.
165 */
166 struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
167 uint32_t set_id);
168
169 /*
170 * Operations with rule-set.
171 */
172 struct nft_rule_ctx {
173 int command;
174 };
175
176 struct nftnl_rule *nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *rule, const char *chain, const char *table, struct iptables_command_state *cs);
177 int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
178 int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
179 int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
180 int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
181 int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
182 int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
183 int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
184 int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
185 int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
186 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
187 int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
188 bool nft_rule_is_policy_rule(struct nftnl_rule *r);
189
190 /*
191 * Operations used in userspace tools
192 */
193 int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
194 int add_verdict(struct nftnl_rule *r, int verdict);
195 int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
196 struct nftnl_rule *r, struct xt_entry_match *m);
197 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
198 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
199 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
200 int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
201 char *get_comment(const void *data, uint32_t data_len);
202
203 enum nft_rule_print {
204 NFT_RULE_APPEND,
205 NFT_RULE_DEL,
206 };
207
208 bool nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
209 enum nft_rule_print type, unsigned int format);
210
211 uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
212
213 /*
214 * global commit and abort
215 */
216 int nft_commit(struct nft_handle *h);
217 int nft_bridge_commit(struct nft_handle *h);
218 int nft_abort(struct nft_handle *h);
219
220 /*
221 * revision compatibility.
222 */
223 int nft_compatible_revision(const char *name, uint8_t rev, int opt);
224
225 /*
226 * Error reporting.
227 */
228 const char *nft_strerror(int err);
229
230 /* For xtables.c */
231 int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
232 /* For xtables-arptables.c */
233 int nft_init_arp(struct nft_handle *h, const char *pname);
234 int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
235 /* For xtables-eb.c */
236 int nft_init_eb(struct nft_handle *h, const char *pname);
237 void nft_fini_eb(struct nft_handle *h);
238 int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
239
240 /*
241 * Translation from iptables to nft
242 */
243 struct xt_buf;
244
245 bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
246 bool xlate_find_protomatch(const struct iptables_command_state *cs, uint16_t proto);
247 int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
248 int xlate_action(const struct iptables_command_state *cs, bool goto_set,
249 struct xt_xlate *xl);
250 void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
251 bool invert);
252
253 /*
254 * ARP
255 */
256
257 struct arpt_entry;
258
259 int nft_arp_rule_append(struct nft_handle *h, const char *chain,
260 const char *table, struct arpt_entry *fw,
261 bool verbose);
262 int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
263 const char *table, struct arpt_entry *fw,
264 int rulenum, bool verbose);
265
266 void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
267
268 bool nft_is_table_compatible(struct nft_handle *h,
269 const char *table, const char *chain);
270 bool nft_is_table_tainted(struct nft_handle *h, const char *table);
271 void nft_assert_table_compatible(struct nft_handle *h,
272 const char *table, const char *chain);
273
274 int ebt_set_user_chain_policy(struct nft_handle *h, const char *table,
275 const char *chain, const char *policy);
276
277 #endif
Iptables mirro